It is not about me. I do have faith in the human race and there are people that I trust. It is about a new security model proposed by Forrester Research in 2010.
Traditional Network Security
The problem with the traditional network security model is that it assumes anything outside the network is untrusted while everything inside the network is trusted. Heavy emphasis is placed at the edge, on network access control; once a user is inside the network, there is not much control.
There is Role Based Access Control (RBAC), in which a role is assigned to the user after the user successfully authenticates with proper credentials, based on those credentials and sometimes on where and when the user is trying to access the network. RBAC is more useful when implemented at the application level; when RBAC is implemented at the network level, the security control is still limited.
With the proliferation of server virtualization, a virtual machine can move from one host to another. This makes the application of security controls more difficult: where is the perimeter?
Before we go on we need to spell out two definitions:
- East-West traffic: the traffic between servers within a datacenter
- North-South traffic: the traffic between client and server
The traditional security model is mostly tailored to north-south traffic, and not much is done for east-west traffic.
Zero Trust Security Model
The "Zero Trust" security model was proposed by John Kindervag, a senior research analyst at Forrester Research. His report can be found here (you have to pay to read the full report). We can also listen to John Kindervag talk about this "Zero Trust" model here on YouTube. The name of this security model captures its essence: "Trust no one". In the YouTube video, John Kindervag mentions three concepts for the "Zero Trust" security model:
- All resources are accessed in a secure manner regardless of location
- Access control is on a "need-to-know" basis and is strictly enforced
- Inspect and log all traffic
Today let's take a look at VMware and Cisco products that utilize this "Zero Trust" security model. This security model also protects east-west traffic between servers.
VMware
VMware implemented the Zero Trust security model in its NSX product.
VMware NSX is well known as a Software Defined Network (SDN) feature. I have stated in another post that NSX is also a security product, and according to Chris King, vice president of product marketing for VMware's Networking and Security Business Unit, a lot of customers show interest in NSX because of the security features inherent in its design.
NSX is a network virtualization platform that is able to automate, provision and manage network connectivity in a data center. With NSX there are three levels of security that can be accomplished:
- Isolation
- Segmentation
- Advanced Segmentation with 3rd party security partners
Isolation
In a traditional network, Access Control Lists (ACLs) are used for isolation. With a virtualized network, the virtual network is by default isolated from the physical network, and each virtualized network is also isolated from the others. This follows the zero trust principle at the virtualized network level.
Segmentation
In NSX, there is the concept of micro-segmentation. In a traditional network, segmentation is done through VLANs. With a virtualized network, segmentation is not limited to a VLAN but can be fine-tuned to a smaller group of virtualized resources or even to an individual virtual machine. In fact, as will be explained again later in this post, micro-segmentation is how VMware achieves the zero trust security principle.
Advanced Segmentation with 3rd party security partner
With service chaining, NSX in a virtualized network can direct data traffic to 3rd party security appliances for deeper packet inspection and ACL parsing.
The main idea for NSX to accomplish the zero trust security model is to have a distributed firewall (one on each ESXi host) so that traffic is inspected before being sent out onto the network. Even if two VMs are connected to the same vSwitch, the distributed firewall inspects the data traffic before sending it to the destination VM. Without the distributed firewall, two virtual machines connected to the same vSwitch are able to pass traffic between each other directly.
This diagram explains the concept: with the distributed firewall implemented at the hypervisor level, we can accomplish the zero trust security model, where all traffic is inspected and filtered according to the defined security policy:
image source: http://wahlnetwork.com/wn/wp-content/uploads/2014/08/nsx-firewall-yes.jpg
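The per-host enforcement described above, as an added example that is not part of the original post and not NSX code: one enforcement point per hypervisor sharing a default-deny policy, next to the traditional "trusted once inside" model, with the same-vSwitch case and a VM migration. All VM names, host names and policy entries are constructed for the example.

```python
# Added example, not NSX code: a hypervisor-level distributed firewall modelled
# as one enforcement point per host with a shared default-deny policy, next to
# the traditional "trusted once inside" model. All VM and host names are constructed.
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    group: str   # micro-segmentation group (security tag)
    host: str    # ESXi host the VM currently runs on

# Whitelist of (src_group, dst_group, proto, dst_port); anything else is denied.
POLICY = {("web", "app", "tcp", 8080), ("app", "db", "tcp", 3306)}

class DistributedFirewall:
    """Same policy on every host; inspects and logs every flow, allowed or not."""
    def __init__(self):
        self.log = []

    def allow(self, src, dst, proto, port):
        decision = (src.group, dst.group, proto, port) in POLICY
        self.log.append((src.host, src.name, dst.name, proto, port, decision))
        return decision

def legacy_deliver(src, dst, proto, port):
    # Traditional model: east-west traffic between VMs on the same vSwitch is
    # forwarded without inspection; only the perimeter had a firewall.
    return True

def dfw_deliver(dfw, src, dst, proto, port):
    # The DFW on the source VM's host inspects the flow before the vSwitch
    # forwards it, even when dst sits on the same host and vSwitch.
    return dfw.allow(src, dst, proto, port)

def demo():
    web, app, db = VM("web01", "web", "esxi-1"), VM("app01", "app", "esxi-1"), VM("db01", "db", "esxi-2")
    dfw = DistributedFirewall()
    results = {
        "web->app legacy": legacy_deliver(web, app, "tcp", 8080),
        "db->web:22 legacy": legacy_deliver(db, web, "tcp", 22),   # lateral flow passes
        "web->app dfw": dfw_deliver(dfw, web, app, "tcp", 8080),
        "db->web:22 dfw": dfw_deliver(dfw, db, web, "tcp", 22),    # dropped: default deny
    }
    # vMotion: app01 moves to esxi-2. The policy follows the VM because every
    # host enforces the same rules: the perimeter is each hypervisor.
    app.host = "esxi-2"
    results["app->db:3306 dfw after move"] = dfw_deliver(dfw, app, db, "tcp", 3306)
    results["app->db:22 dfw after move"] = dfw_deliver(dfw, app, db, "tcp", 22)
    return results, dfw.log
```

The returned log holds one entry per flow, including the denied ones, which is the "inspect and log all traffic" concept from the list above.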
Cisco
Cisco's Application Centric Infrastructure (ACI) supports the concept of the Zero Trust security model.
As the name of this feature suggests, it is all about the Application, and its policy model for security consists of three parts:
- Endpoint Groups (EPG)
- Policy Contract
- Application Network Profile
image source: https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW0Iql3smClfr6IFq9HOoNyFuW3HSslh5GjTGqyhkuZif90vZW8xjGCEMAMKErB3L6FfM8mnWrameSER9ChsJVQ2LKTLEZLR6JfR9Ko_PMuzftb21dZxObYRIfLh9WVjf4lD7052xXweE/s1600/cisco_aci_PolicyModelForSecurity.jpg
Endpoint Groups (EPG)
Devices with a common policy are put together as a group. Grouping can be based on application-friendly attributes such as OS, patch level, application type, application component or function. Once created, an Endpoint Group can be used to define security zones, trust boundaries or risk profiles. In ACI the default is no trust.
Policy Contract
The contract defines how data traffic is delivered between Endpoint Groups (EPGs). This is how the security rules are applied to devices regardless of where they are, which matters because virtual machine migration is common in a virtualized environment. The contract defines filters and any associated action, similar to traditional firewall rules based on the 5-tuple. Policy contract enforcement between Endpoint Groups can be unidirectional or bidirectional.
Application Network Profile
In the diagram above this is shown as Service Chains. Service chaining is a concept that defines the flow of data traffic from one network service to another. Service chaining is a hot and important topic for Network Function Virtualization (NFV).
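The three ACI parts above (Endpoint Groups, Policy Contract, Application Network Profile), as an added example that is not part of the original post and not Cisco code: endpoints are classified into EPGs by attributes, contracts carry filters between a consumer and a provider EPG, and anything without a contract is dropped. The reading of "bidirectional" as "the provider may also initiate traffic matching the filter", the EPG rules and all tier, port and endpoint values are assumptions constructed for the example.

```python
# Added example, not Cisco ACI code: the three ACI policy parts named above in plain
# Python. Endpoints are classified into EPGs by attributes, contracts carry 5-tuple-style
# filters between consumer and provider EPG, and flows without a contract are dropped.
from dataclasses import dataclass

@dataclass
class Contract:
    provider: str            # EPG offering the service
    consumer: str            # EPG allowed to initiate traffic to it
    filters: frozenset       # set of (proto, dst_port)
    bidirectional: bool = True   # assumption here: provider may also initiate

# EPG membership follows endpoint attributes, not VLAN or host location.
EPG_RULES = {
    "web": lambda a: a["tier"] == "web",
    "app": lambda a: a["tier"] == "app",
    "db":  lambda a: a["tier"] == "db" and a["patched"],   # unpatched DBs get no EPG
}

def classify(attrs):
    # First matching rule wins; None means no EPG, so no contract can match.
    return next((epg for epg, rule in EPG_RULES.items() if rule(attrs)), None)

# Application Network Profile: the service chain web -> app -> db.
CONTRACTS = [
    Contract("app", "web", frozenset({("tcp", 8080)})),
    Contract("db", "app", frozenset({("tcp", 3306)}), bidirectional=False),
]

def permitted(src_attrs, dst_attrs, proto, port):
    s, d, f = classify(src_attrs), classify(dst_attrs), (proto, port)
    for c in CONTRACTS:
        if s == c.consumer and d == c.provider and f in c.filters:
            return True
        if c.bidirectional and s == c.provider and d == c.consumer and f in c.filters:
            return True
    return False   # enforced wherever the endpoints sit, e.g. after a VM migration

def demo():
    web = {"tier": "web", "patched": True}
    app = {"tier": "app", "patched": True}
    db, db_old = {"tier": "db", "patched": True}, {"tier": "db", "patched": False}
    return {
        "web->app:8080": permitted(web, app, "tcp", 8080),    # consumed by web
        "app->web:8080": permitted(app, web, "tcp", 8080),    # bidirectional contract
        "app->db:3306": permitted(app, db, "tcp", 3306),
        "db->app:3306": permitted(db, app, "tcp", 3306),      # unidirectional: dropped
        "web->db:3306": permitted(web, db, "tcp", 3306),      # no contract: dropped
        "app->db_old:3306": permitted(app, db_old, "tcp", 3306),  # not in any EPG
    }
```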
Trust and no trust
I believe the networking industry is catching up with server and storage virtualization technology. In a network we should trust no one, but in our daily life we should have a certain level of trust in the other people we come into contact with. Every day we are creating and updating our "Human Centric Profile" of who we can trust and how much.